Kaspersky Internet Security 2015 - General Impression

Status
Not open for further replies.

hjlbx

Thread author
Hello,

This is a mini-review of Kaspersky Internet Security 2015.

Pros:

  • Top-tier protection based on testing against samples from MT's Malware Hub.
  • Comprehensive, all-inclusive features including built-in Task Manager and network monitor.
  • Impact on my W8.1 system is reasonably good during normal use with default settings (not while a scan is running; and not as low as BD). Long system restart on my specific system, but low resource usage during normal workload at the desktop.
  • Highly automated at default settings, generally requiring little user interaction (but not as minimalistic as BitDefender). Default settings are very well optimized. +100 for the smart Russians.
  • The user is able to figure out what actions KIS has taken to protect the system; reasonably clear logging.
  • When set to interactive mode, notifications are unobtrusive yet demand attention, are clear and require concrete decisions (Allow, Block, Delete, Skip, etc.) by the user.
  • Metro App monitoring.
  • Highly configurable application rules (tedious).

Cons:

  • Protections are reduced on 64-bit systems; Kaspersky products are only available in 32-bit versions at this time. For the best protection on a 64-bit system, Trusted Application Mode must be used.
  • System cleaner/optimization is completely unnecessary.
  • Some features are not/may not be needed.
  • GUI is not optimal; navigation is a "busy" user experience.
  • A novice will have no clue regarding the powerful policy-based Application Monitoring, nor interactive mode at maximum settings (default settings are optimized by Kaspersky to provide a very high level of security, so there typically is no need to change them).
  • Alerts only appear on my system for a second or two (I think this is by design, to prevent alert-freeze issues when multiple alerts appear; but everything is recorded in detail in the log, so not a big issue).
  • Some very minor GUI/log quirks that may cause confusion.
  • There is no means for the user to manually add a file to Quarantine.
  • Stability can be an issue; it shows up as GUI hangs/freezes/cragginess at max settings on a low-end system.
  • Built-in Network Monitor only displays connections, with no WHOIS/IP verification capabilities.
  • A low-end processor cannot handle intensive tasks, such as scanning 500-file malware packs at maximum settings; it will cause an AppHang.
  • Denying Windows Explorer network access on a Public Network breaks internet access (this is an advanced user setting).
  • Global or app-specific firewall rules can be created, but it is tedious if you want to tightly lock down network security.
  • Rules can be created from within firewall alerts, but it is a convoluted multi-step rigmarole that needs improvement. -1 for the Russians.

** SPECIAL NOTE: Trusted Application Mode **
Trusted Application Mode deserves special emphasis, as I see some potentially critical issues. The TAM scan, GUI and config options need to be improved. Period. Done incorrectly it can wreck the system (e.g. blocking unrecognized system drivers... by the way, the exact same dilemma exists with Comodo Internet Security, which uses a rating scan):

  • The TAM scan should only be performed on a clean system, and close attention paid to which apps are allowed and blocked. Inadvertently allow malware/PUP and your goose is cooked.

  • The TAM scan should preferably be performed right after system start, before certain apps (like a browser) are opened, as KIS will detect scripts/potential garbage in the net cache and include them in the scan results. Fortunately, they do not get added to the Trusted Files list... it appears KIS filters them out. +1 for the smart Russians.

  • There is currently no means to remove entries from the Trusted Mode scan results list; the user has to either allow or block. However, KIS will recommend either not enabling TAM or allowing any unknown system files, lest TAM block an unknown driver or other critical file, causing system instability or crashes. Another +1 for the smart Russians. NOTE: On a clean system I would allow all items only after thorough verification by the user... this is a tedious but necessary step that will keep the system safe while at the same time preventing serious problems. You will be very satisfied with the end result.

  • The TAM scan does not need to be performed on a regular basis, as KIS will create auto-rules from the Kaspersky Security Network database. This is a huge assist. +1 again for the smart Russians.


Impression:

What I immediately noticed was KIS' automation. For example, it automatically scans modules in active memory, rates them, and then adds them to the Application Monitoring module.

Another useful feature: it has a Trusted Application module that allows the user to manually scan all installed apps; KIS rates them but leaves it up to the user to "Allow" or "Block" as they deem fit.

The Application Monitoring module is policy-based and is optimally suited to more experienced users. If you understand everything in the policy restrictions list, then you are Neo and have no need of AV.

I think a policy-based sandbox is infinitely more powerful than a virtual sandbox as long as clever bypasses are blocked. I tested KIS (with its file guard turned off) against Malware1's CryptoLocker bypass. KIS blocked it as Unknown/Untrusted. It also blocked the recent JS.Downloader/Bat.Encoder combo posted on MT's Malware Hub (BitDefender, to its credit, allowed the script to run but later detected and cleaned the hidden malicious downloads squirreled away in the Windows temp sub-folder/file). From what I see KIS handily crushes BitDefender and Comodo Internet Security for a number of reasons. There's so much behind this assessment you will just have to trust me.

I think KIS does a better-than-average job of dealing with malware once it's on a system. Watching KIS, it is more obvious what is being done compared to BD. (BD just does it without explanation... and that is fine, but you may scratch your head once in a while. This only becomes a real issue if a legitimate file is removed by BD and it breaks something.) Restoring a legitimate file is more intuitive/easy in KIS.

KIS' default settings are a good balance between security and performance. There are some tweaks that the user may wish to make, one of which is to deactivate "Trust Digitally Signed Applications."

There are a few minor GUI, logging and configuration quirks, but nothing that a seasoned AV user won't figure out quickly. Navigation is a bit tedious, and accessing certain settings is not always straightforward (it is multi-step).

One of the best things about KIS is that I didn't experience any bugs on my specific system. If there are any bugs, they probably are limited to GUI/logging/notification info quirks. That kind of stuff can really confuse a novice, but an advanced user with multi-AV software experience should be able to sort it out quickly.

I personally don't like the GUI all that much (It's OK, it gets the job done), but I am willing to tolerate it because of KIS' high level of protection.

Bottom line... this one is better suited to a user who wants the ability to comprehensively monitor the system. The highly configurable policy module is essentially a pseudo-HIPS at default settings.

Interactive mode at maximum settings is full-blown classical HIPS and should most definitely not be used by the novice. In fact, the only time that these settings, combined with the highest logging level, are ever - repeat - ever - necessary is if you are trying to track down something screwy on your system. And they should only then be used for short periods of time and then returned to default settings when you are finished.

If you use interactive mode at maximum settings you will quickly become frustrated and form a bad impression of Kaspersky... which is unfortunate, as the problem is not Kaspersky; the real problem is that you don't know what you are doing by using KIS in a way for which it was not intended, except under dangerous conditions.

Hint: For the best user experience with a very high level of protection... please use default settings... and I also suggest Trusted Applications Mode. And there's no way around it. You have to "put in your time" using KIS to get a clue.

It offers a good balance of automation while at the same time a high-degree of configurability.

On my system it uses low resources, is stable and I am not seeing any incompatibility issues. In my experience one of the very best (Emsisoft, ESET, Kaspersky).

I gotta tell ya, I am really liking it... despite the mediocre GUI. :D

To Kaspersky I only add Shadow Defender for dangerous online activities and/or malware testing and MBAM Free.

That, really, is more than sufficient anti-virus protection.
 
Last edited by a moderator:

cLcL
Hello. Great review. I agree with the little-bit-hard-to-navigate GUI (there are settings and additional tools, and sometimes I forget where is where in the GUI :D ).
For a novice there is "Perform recommended action automatically" and "Load rules for applications from KSN", and when a program is blocked, that novice is supposed to contact Kaspersky tech support to get further info (which I think is really great for a novice).
For the behaviour blocker, the Application Monitor (Application Control?) does block the changing of critical system files by low-restricted programs, so I think it's decent (though I don't know what those critical settings are :D ); sure, it's not as complete as Emsi's behavior blocker, but then again Emsi tried to block my WinFast TV tuner program :D

And what is system cleaner/optimization? Did you mean the vulnerability scan (which I thought is really good), browser configuration (never tried) or Privacy Cleaner (never tried either :D )?

For me KIS is really good, but sometimes a bit annoying, especially when installing a new program (when offline, e.g. no KSN): the Application Control asks too much :D

Thanks. :)
 

hjlbx

Thread author
> Sure, it's not as complete as Emsi's behavior blocker, but then again Emsi tried to block my WinFast TV tuner program :D
>
> Thanks. :)

Both Emsisoft and Kaspersky (as do all the rest... except Avira, which does not use application rules as it is a basic scanner only) rely heavily upon file ratings... known good, known bad and unknown... to control app behavior.

Without Emsisoft's Anti-Malware Network, its behavior blocker is much less powerful.

The BB monitors for behaviors that have reached the threshold of suspicious... and then queries the AMN. A lot of users are unaware of this fact.

The difference with Kaspersky is that unknown = untrusted (blocked, period, requiring user interaction), whereas when Emsi is faced with a completely unknown file the BB may or may not generate an initial BB alert. The BB may alert after the file has run for a while; then again, it may not. Maybe the surf protection will block a connection attempt to a known/suspected malicious URL, or maybe the firewall will alert to connection attempts to/from conspicuously odd ports/IP addresses.
 

SherKaan
I have used so many security suites in the past like Trend Micro, Norton, avast!, Avira, Bitdefender, Qihu, Kaspersky, etc. But overall, nothing surpassed Kaspersky. Again, this is just my personal opinion based on my own security experience. Great quality product in many aspects. Highly recommended!
 
Last edited:

hjlbx

Thread author
> I have used so many security suites in the past like Trend Micro, Norton, avast!, Avira, Bitdefender, Qihu, Kaspersky, etc. But overall, nothing surpassed Kaspersky. Again, this is just my personal opinion based on my own security experience. Great quality product in many aspects. Highly recommended!

Emsisoft, ESET and Kaspersky are the best. Each has its own approach.

If Emsisoft adds a "Block All Unknown Applications" feature, then it and KIS will essentially be identical in terms of core protection.

The difference between Emsisoft and Kaspersky is that Emsi only offers AV, Firewall and Behavior Blocker, whereas KIS has similar but adds additional features to be a full-featured suite.

For some a suite meets their expectations. For others, like me, I only want what is needed to protect the system...

Kaspersky is one of my absolute favorites.

I think it is one of the best.
 

SherKaan
But don't you think Emsisoft is way too heavy on the system? The tests conducted by AV-C confirmed that.
 

hjlbx

Thread author
> But don't you think Emsisoft is way too heavy on the system? The tests conducted by AV-C confirmed that.

Emsisoft has further optimized and improved performance.

On my W8.1 system I install EAM/EIS on a clean system. During installation I perform a full system scan. After that I only use File Guard (real-time on-access scan with optimization [only new and changed files are scanned, like the Kaspersky option]) for malicious file detection, and I rarely perform an on-demand scan.

This is how the Emsi developers intended EAM/EIS to work.

I don't even know EAM/EIS is on my system. I just go about my normal activities and rarely see any impact. When the updates occur I may notice it for a few seconds, but that is it.

Other members here at MT that use EAM/EIS report the same.
 

SherKaan
I was considering it before I bought KIS. It was dirt cheap at downloadcrew. Maybe, in the future, I might give it a try.
 

hjlbx

Thread author
> I was considering it before I bought KIS. It was dirt cheap at downloadcrew. Maybe, in the future, I might give it a try.

I think KIS will provide the best protection. Especially if you enable:
  • Trusted Application Mode
  • Un-tick "Trust Digitally Signed Applications."
  • Automatically move all unknown files to Untrusted.
Essentially, if the file is not included in the Kaspersky Security Network, then it will be blocked.

Right now, if a file is not included in the Emsisoft Anti-Malware Network and the Behavior Blocker doesn't detect any suspicious behavior... the app will be allowed to run. Since the Behavior Blocker is not infallible, that represents a hole in the protection. Yet it is possible that Surf Protection or the BB will later point to malicious activity.

Of course, you can achieve the same thing by combining EIS with NVT ERP (free) or AppGuard (paid). Although I haven't tested the EIS/ERP combo, there isn't any reason why it wouldn't work. EIS worked fine with AppGuard.

You will like the creation/ease-of-configuration of App Rules much better in EAM/EIS. GUI is very well done.
 
луноход
Hi hjlbx,

Thank you for your informative review. I decided to try out the new Kaspersky Total Security, which comes with some anti-logging/anti-spy features. Would you (or anyone reading this post) recommend that I still use SpyShelter? I find the product to be a bit schizophrenic, but it's already paid for. Regarding on-demand scanners to accompany KTS: what are your thoughts about HerdProtect? I used it on another PC and it detected malware while MBAM & HitmanPro just sat there quietly reporting nothing of interest.
 

hjlbx

Thread author
> Hi hjlbx,
>
> Thank you for your informative review. I decided to try out the new Kaspersky Total Security, which comes with some anti-logging/anti-spy features. Would you (or anyone reading this post) recommend that I still use SpyShelter? I find the product to be a bit schizophrenic, but it's already paid for. Regarding on-demand scanners to accompany KTS: what are your thoughts about HerdProtect? I used it on another PC and it detected malware while MBAM & HitmanPro just sat there quietly reporting nothing of interest.

If you use Kaspersky's Trusted Application Mode and set it to send all unknown apps to Untrusted (Blocked), it will protect your system. Kaspersky TAM uses the Default-Deny protection model (white-list all apps on your system, black-list everything else, depending upon settings), which means it blocks or restricts everything that does not reside in the Kaspersky Security Network database rated as Trusted. If it's not in KSN then it means one of two things: it is a legitimate but not widely used application, or it's likely adware at best or outright malware at worst. KSN is not infallible though... so I deactivate the "Trust Digitally Signed Applications" setting.

I don't even scan items any longer, as it is an exercise in futility. If it's unknown on my system, then Kaspersky blocks it, so scanning it is a waste of my time. The only way malware will run on my system is if I take the required multiple steps to allow it to run.

Herein is the problem for the typical user... if you follow what the AV suggests, you are protected; if you do not, then you get infected. AV can't overcome a user's poor judgment.

If you do not use TAM then yes, you need to add an additional scanner. If you can get HerdProtect to work well, then it may be just what you like. You have to try it out.

You will see what I mean. With no prior experience it can be confusing, but after a while you will figure it out.

For day-to-day use and reasonable surfing habits, Kaspersky with TAM enabled and with the correct settings is more than sufficient. I add only MBAM.

SpyShelter: To be honest I have never used it, so I cannot tell you anything about it. I can tell you that I've tried to use other anti-keyloggers and in my experience they always caused some kind of problem... one was serious enough that I just stopped using any of them. My solution is to use Oxynger KeyShield, which is freeware. However, I do not think it is actively developed. It works, but Kaspersky has its own built-in measures against data capture, although I do not know how well they work as it's something I never tested. If it's schizo on your system then I definitely wouldn't use it with Kaspersky, as it is just a matter of time before a serious problem occurs.

HerdProtect: It is still in beta. Plus, when I used it the signatures were up to two weeks old and there were a lot of false positives. In theory it seems like a good idea, but in practice it was rough on resources. HerdProtect is going to catch a lot of things MBAM and HMP will not, simply because of the sheer amount of combined signatures that it uses. False positives, if that sort of thing bothers you, will be an issue.
 

hjlbx

Thread author
I forgot to mention this detail:

Kaspersky detects and notifies the user about scripts when using Trusted Application Mode. It will block any unknown scripts. The user can allow them if they so choose.

Scripts are one of the greatest dangers and represent one of the greatest challenges for AV. Unless a signature for the script exists, it is likely going to run on my system. Kaspersky's Default-Deny is the best method... I think. Then I can allow the script if, after researching, it is legitimate and without it something is not working correctly. If a script is unnecessary then I do not run it, or I can turn it back off at will.

Those Russians are smart.

In Interactive Mode, Kaspersky's HIPS notifications are, like all other HIPS notifications that I have seen, decipherable by only the most advanced user. What all those many (can be 50 or more) alerts are telling you is that the app is making an autorun entry, installing ActiveX, installing a service, etc., etc. Although the notification doesn't say "Creating Autorun Entry", it gives registry modification/app call/etc. info, which even a lot of advanced users have no idea what it means precisely.

That's the main problem with HIPS notifications, I think. In one instance I think I went through in excess of 100 alerts. Not one made sense to me, as I do not know the registry like the back of my hand, nor am I a programmer.

I use WinPatrol with all my AV because it presents the info in a way that I understand. Really, it isn't absolutely necessary, but WinPatrol doesn't hog resources and works well with all the AV I have used.
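As an added illustration of what a long run of HIPS alerts is actually telling you, the script below takes raw registry/file-write alerts and labels each one by the well-known persistence location it touches (Run/RunOnce keys, Services, Winlogon Shell/Userinit, AppInit_DLLs, IFEO Debugger, Browser Helper Objects, COM InprocServer32 registrations, the Startup folder, the drivers directory), which is the same translation the post is asking for ("Creating Autorun Entry" instead of a bare registry path). This is example code written for this page, not Kaspersky or WinPatrol code; the `pid|image|action|target` alert format and the sample alert lines are constructed for the demo and do not reflect any product's real log format.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Long hive names as they appear in alerts -> short forms used by the rules.
HIVES = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR",
}

# "Software\" with optional WOW64 redirection, shared by several rules.
SOFT = r"Software\\(Wow6432Node\\)?"

# Auto-start extensibility points (ASEPs); first matching rule wins.
ASEP_RULES: List[Tuple[str, str]] = [
    (r"HK(LM|CU)\\" + SOFT + r"Microsoft\\Windows\\CurrentVersion\\Run(Once)?(Ex)?\\",
     "Creating an autorun entry (Run/RunOnce key)"),
    (r"HKLM\\System\\(CurrentControlSet|ControlSet\d+)\\Services\\",
     "Installing or modifying a service or driver"),
    (r"HK(LM|CU)\\" + SOFT + r"Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)",
     "Hijacking the logon sequence (Winlogon Shell/Userinit)"),
    (r"HKLM\\" + SOFT + r"Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
     "Loading a DLL into every GUI process (AppInit_DLLs)"),
    (r"HKLM\\" + SOFT + r"Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\[^\\]+\\Debugger",
     "Hijacking a program launch (IFEO Debugger)"),
    (r"HK(LM|CU)\\" + SOFT + r"Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\",
     "Installing a Browser Helper Object"),
    (r"HK(LM|CU|CR)\\(" + SOFT + r")?(Classes\\)?CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32",
     "Registering a COM/ActiveX server DLL"),
    (r".*\\Start Menu\\Programs\\Startup\\",
     "Creating an autorun entry (Startup folder)"),
    (r"[A-Za-z]:\\Windows\\System32\\drivers\\",
     "Dropping a kernel driver file"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in ASEP_RULES]

# Constructed alerts in the hypothetical "pid|image|action|target" format:
# one installer doing a mix of persistence and harmless writes.
SAMPLE_ALERTS = [
    r"4120|C:\Users\u\Downloads\setup.exe|RegSetValue|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"4120|C:\Users\u\Downloads\setup.exe|RegCreateKey|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\updsvc",
    r"4120|C:\Users\u\Downloads\setup.exe|RegSetValue|HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-1234-1234-1234-123456789ABC}\InprocServer32\(Default)",
    r"4120|C:\Users\u\Downloads\setup.exe|FileWrite|C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk",
    r"4120|C:\Users\u\Downloads\setup.exe|RegSetValue|HKEY_CURRENT_USER\Software\Vendor\Setup\InstallDir",
    r"4120|C:\Users\u\Downloads\setup.exe|RegSetValue|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
]


def normalize(target: str) -> str:
    """Rewrite a long hive name (HKEY_LOCAL_MACHINE\\...) to its short form."""
    upper = target.upper()
    for long_name, short in HIVES.items():
        if upper.startswith(long_name):
            return short + target[len(long_name):]
    return target


def explain(alert: str) -> Tuple[str, str, str]:
    """Turn one 'pid|image|action|target' alert into (image name, meaning, target)."""
    _pid, image, action, target = alert.split("|", 3)
    target = normalize(target)
    image_name = image.rsplit("\\", 1)[-1]
    for rx, label in COMPILED:
        if rx.match(target):
            return image_name, label, target
    return image_name, f"Ordinary {action} (no known persistence point)", target


def triage(alerts: List[str]) -> Dict[str, int]:
    """Count alerts per meaning so a 100-alert burst reads as a short summary."""
    return dict(Counter(explain(a)[1] for a in alerts))


if __name__ == "__main__":
    for name, meaning, target in map(explain, SAMPLE_ALERTS):
        print(f"{name}: {meaning}\n    {target}")
    print(triage(SAMPLE_ALERTS))
```

The rule list is deliberately short; Sysinternals Autoruns covers many more locations, and a real deployment would extend `ASEP_RULES` from that list. The point is the shape of the check: normalise the path, match the longest-known persistence prefix, and fall through to "ordinary write" so that the rare alerts that matter are not buried among the `InstallDir`-style noise.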
 

hjlbx

Thread author
I tested Kaspersky's Trusted Application Mode against the Vault JS.Encoder/Secured.BAT (I think it's a screen locker).

I disabled Anti-Virus, Web Anti-Virus, Application Control, and Network Attack Blocker. Trusted Application Mode and System Watcher were the only modules enabled.

Launched the secured.bat file. The System Watcher module immediately detects it and prompts the user to Allow, Delete, Block, Exclude. I selected Allow and it is immediately blocked and moved to the Untrusted zone.

Everything that is created by secured.bat inherits the restrictions applied to secured.bat and is moved to Untrusted and blocked.

Same with the 1.js file. It was blocked from running, plus moved immediately to the Untrusted zone. Kaspersky conveniently has a History of Access to Modules where script blockings (and those of other executable file types) are logged, and the user can un-block and re-block at will. This is a really nice touch.

Kaspersky's local-system Default-Deny protection model works like a charm. Of course, it is Default-Deny (local-system white-listing).

System Watcher and Trusted Application Mode work as described.

+100 for the smart Russians.

 
Last edited by a moderator:
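The default-deny model described earlier in the thread (an unknown file is Untrusted until the user allows it; "Trust Digitally Signed Applications" is a separate escape hatch) and the behaviour observed in the secured.bat/1.js test above (a blocked script is rated by the script file, not by the trusted cmd.exe/wscript.exe that runs it, and everything the blocked script spawns inherits the block) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Kaspersky code and not a description of how KIS or KSN is implemented. The file contents, paths and event sequence are constructed, and the SHA-256 hash allowlist standing in for a "clean system" scan is an assumption used to illustrate the model.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

TRUSTED = "Trusted"
UNTRUSTED = "Untrusted"

# Interpreters whose real "object" is the script they are handed.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(clean_snapshot: Dict[str, bytes]) -> set:
    """Hash every file found on a clean system (the 'scan once, then whitelist' step).

    Anything not hashed here is unknown and therefore Untrusted. This only helps if
    the snapshot really is clean: whitelisting an infected system whitelists the
    infection, which is why the thread insists the TAM scan run on a clean machine."""
    return {sha256_hex(content) for content in clean_snapshot.values()}


@dataclass
class ExecEvent:
    pid: int
    image: str                           # path of the process image
    image_bytes: bytes                   # constructed stand-in for the file content
    parent_pid: Optional[int] = None
    script_bytes: Optional[bytes] = None  # script handed to a script host, if any
    signed: bool = False                 # carries a valid code signature


class DefaultDenyPolicy:
    def __init__(self, allowlist: Iterable[str], trust_signed: bool = False):
        self.allowlist = set(allowlist)
        self.trust_signed = trust_signed   # the "Trust Digitally Signed Applications" knob
        self.verdicts: Dict[int, str] = {}

    def _rated_object(self, ev: ExecEvent) -> Tuple[str, str]:
        """A script host launching a script is rated by the script, not by the host."""
        base = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in SCRIPT_HOSTS and ev.script_bytes is not None:
            return sha256_hex(ev.script_bytes), "script"
        return sha256_hex(ev.image_bytes), "image"

    def rate(self, ev: ExecEvent) -> str:
        # A child of an Untrusted process is Untrusted regardless of its own hash.
        if self.verdicts.get(ev.parent_pid) == UNTRUSTED:
            verdict = UNTRUSTED
        else:
            digest, _kind = self._rated_object(ev)
            if digest in self.allowlist or (self.trust_signed and ev.signed):
                verdict = TRUSTED
            else:
                verdict = UNTRUSTED
        self.verdicts[ev.pid] = verdict
        return verdict


def simulate(trust_signed: bool = False) -> List[Tuple[str, str]]:
    """Replay a constructed event sequence and return (image name, verdict) pairs."""
    clean = {  # constructed "clean system" of three binaries
        r"C:\Windows\explorer.exe": b"explorer-binary-v1",
        r"C:\Windows\System32\cmd.exe": b"cmd-binary-v1",
        r"C:\Windows\System32\notepad.exe": b"notepad-binary-v1",
    }
    policy = DefaultDenyPolicy(build_allowlist(clean), trust_signed)
    events = [
        ExecEvent(1, r"C:\Windows\explorer.exe", clean[r"C:\Windows\explorer.exe"]),
        # Explorer runs a downloaded batch file through cmd.exe: cmd.exe is trusted,
        # the batch file is unknown, so the process is Untrusted.
        ExecEvent(2, r"C:\Windows\System32\cmd.exe", clean[r"C:\Windows\System32\cmd.exe"],
                  parent_pid=1, script_bytes=b"@echo off\r\nstart payload.exe\r\n"),
        # The batch file runs a copy of notepad.exe whose hash IS allowlisted;
        # it is still Untrusted because its parent is.
        ExecEvent(3, r"C:\Users\u\AppData\Local\Temp\notepad.exe",
                  clean[r"C:\Windows\System32\notepad.exe"], parent_pid=2),
        # A signed but unknown installer started directly from Explorer.
        ExecEvent(4, r"C:\Users\u\Downloads\setup.exe", b"unknown-signed-installer",
                  parent_pid=1, signed=True),
        # Notepad started directly from Explorer: known hash, Trusted.
        ExecEvent(5, r"C:\Windows\System32\notepad.exe",
                  clean[r"C:\Windows\System32\notepad.exe"], parent_pid=1),
    ]
    return [(ev.image.rsplit("\\", 1)[-1], policy.rate(ev)) for ev in events]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"trust_signed={flag}")
        for name, verdict in simulate(trust_signed=flag):
            print(f"  {name:12} -> {verdict}")
```

Run it with `trust_signed=False` and then `True` to see the one verdict that changes: the signed-but-unknown `setup.exe` flips from Untrusted to Trusted, which is exactly the hole the thread closes by un-ticking "Trust Digitally Signed Applications". Everything else (script rated by its own content, inheritance down the process tree) holds either way.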

hjlbx

Thread author
From my perspective Kaspersky Internet Security could be improved by a custom installation option the same as ESET Smart Security.

I do not need Parental Control.

NOTE: When using Safe Money, KIS will block the normal actions of Windows modules such as Explorer, Task Manager, etc.

Kaspersky protects the browser in Safe Money mode and does not discriminate between Windows or any other app that may access browser data... KIS blocks everything. So you will see alerts about Windows modules accessing the browser. This is normal.
 
луноход
Thank you for your reply, hjlbx. I've implemented the settings you recommend. Thus far, KTS is working fine, though I had to install the product again after the shortcut icon stopped working and it wouldn't launch the application :eek: A glitch of some kind, and Kaspersky advises reinstalling the product if you encounter it. Look forward to more advice on settings and tests. Good thread.
 

Raul90
> Denying Windows Explorer network access on a Public Network breaks internet access (this is an advanced user setting).

Currently trying out Pure3 and this is the same. Any workaround for this?
 

Entreri
I pretty much tried most of the large vendors in the past decade, Kaspersky is the best.
 